Windows Powershell Script

  • Question

  • Windows Powershell Script

    I am trying to write a script to log onto a domain.

    This is what I am using so far and it is not working.

    # Builds a domain credential from a password that is hard-coded in the script
    $credential = New-Object System.Management.Automation.PsCredential("mydomain\user", (ConvertTo-SecureString "password" -AsPlainText -Force))
    # Moves the local machine into workgroup TEMP (the change takes effect after a restart)
    Add-Computer -WorkGroupName TEMP -Credential $credential
    # Tries to join the domain again with the same credential, in the same session
    Add-Computer -DomainName "domain name" -Credential $credential
    Restart-Computer

    The aim is to be able to run this script from my PC every 30 days, deploying across many PCs in the office that are rarely used, so they never drop off the domain. I need PC names in there to perfect this, but right now I can't even get it to work on my own PC.

    Tuesday, December 13, 2016 3:52 PM

All replies

  • What do you mean by "so they never drop off the domain"?

    What specific problem are you trying to solve?


    -- Bill Stewart [Bill_Stewart]

    Tuesday, December 13, 2016 4:17 PM
  • By default, all domain joined computers request a new password every 30 days. As long as they are connected and running, they will get a new password. Even if they are not connected for some time, the next time they are connected they will get a new password.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by jrv Tuesday, December 13, 2016 7:18 PM
    Tuesday, December 13, 2016 4:20 PM
  • Bradley - see Richard's reply - this is why I am asking the question of what problem you're trying to solve?

    -- Bill Stewart [Bill_Stewart]

    Tuesday, December 13, 2016 4:25 PM
  • Basically, the other machines will require a reboot and need to unjoin and rejoin the domain, all in one script.

    But I can only manage to get it to join the domain and not to unjoin.

    It only joins on the PC that I run it on. I would like to run it on my PC and have it send it out to other PCs in the office to do what I need.

    Thanks

    Tuesday, December 13, 2016 4:33 PM
  • But that doesn't answer the question. Why do you need to unjoin and rejoin in the first place?

    -- Bill Stewart [Bill_Stewart]

    Tuesday, December 13, 2016 4:38 PM
  • Because they are PCs that are not used very often in a data centre, but I cannot get down there to add them back manually.
    Tuesday, December 13, 2016 4:39 PM
  • Read Richard's reply first before you answer.

    I will reiterate my question: Why do the computers need to be rejoined to the domain at all?

    What specific problem are you really trying to fix?


    -- Bill Stewart [Bill_Stewart]

    Tuesday, December 13, 2016 4:47 PM
  • As soon as you unjoin the domain, your script dies at that line, as your credentials are no longer valid.
    Tuesday, December 13, 2016 5:31 PM
  • That's beside the point. Why do we need to rejoin? Old computer objects can rejoin a domain if they haven't been connected for a while. That is, unless the computer objects are being deleted. In that case, we have an entirely different problem. That's why we need to be clear about what the problem actually is. In other words, the OP needs to tell the actual problem rather than the attempted solution.

    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by jrv Tuesday, December 13, 2016 7:17 PM
    Tuesday, December 13, 2016 5:36 PM
  • Basically, the other machines will require a reboot and need to unjoin and rejoin the domain, all in one script.

    But I can only manage to get it to join the domain and not to unjoin.

    It only joins on the PC that I run it on. I would like to run it on my PC and have it send it out to other PCs in the office to do what I need.

    Thanks

    To join, you must use the domain credentials AND the local admin credentials in the same command.  If a computer is not joined, you must access it with local admin credentials, as domain credentials cannot authenticate on a non-domain computer.

    See the full help for the command as it has an explicit example of how to remotely join a computer.

    I agree with Bill and Richard.  There seems to be no point in all of this.


    \_(ツ)_/


    • Edited by jrv Tuesday, December 13, 2016 7:21 PM
    Tuesday, December 13, 2016 7:20 PM
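The remote join that jrv's reply describes (domain credentials and local administrator credentials in the same command), as an added example that is not part of the thread. The domain name, OU path and target hostnames below are placeholders; the credentials are prompted for rather than stored in the script, since the OP's script keeps a plaintext domain password that anyone able to read the .ps1 can reuse.

```powershell
# Added example, not from the thread: join workgroup machines to a domain from an admin
# workstation. Requires PowerShell 3.0+ for the -ComputerName/-LocalCredential parameters.

$DomainName = 'corp.example.com'                          # assumption: the target AD domain
$Targets    = 'DC-PC-01', 'DC-PC-02'                      # assumption: hostnames of the workgroup machines
$OUPath     = 'OU=DataCentre,DC=corp,DC=example,DC=com'   # assumption: OU for the new computer objects

# Prompt for both credential sets instead of hard-coding them in the script.
$LocalCred  = Get-Credential -Message 'Local administrator on the target machine (e.g. DC-PC-01\Administrator)'
$DomainCred = Get-Credential -Message 'Domain account permitted to join computers to the domain'

foreach ($pc in $Targets) {
    # A machine that is not domain-joined cannot authenticate a domain account, so the
    # remote connection to the target is made with the local administrator account
    # (-LocalCredential) and the join itself is authorised with the domain account
    # (-Credential). -Restart reboots the target once the join is done; -Force suppresses
    # the confirmation prompt so the loop runs unattended.
    try {
        Add-Computer -ComputerName $pc -LocalCredential $LocalCred `
                     -DomainName $DomainName -Credential $DomainCred `
                     -OUPath $OUPath -Restart -Force -ErrorAction Stop
        Write-Output "Joined $pc to $DomainName"
    }
    catch {
        Write-Warning "Join of $pc failed: $($_.Exception.Message)"
    }
}
```

Remote Add-Computer talks to the target over WMI (DCOM), so the target's firewall must allow remote administration from the admin workstation. If every workgroup machine shares the same local administrator password, the same password also opens every one of them; give each machine its own.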
  • Client computers can remain unconnected to the domain indefinitely. There should be no need to unjoin, then rejoin the domain.

    Edit: This is not true of domain controllers. They should never be off the domain beyond the tombstone lifetime, which by default is 180 days.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, December 13, 2016 7:50 PM
  • They drop off the domain after 30 days, as it has been set to do so. They then need to be added back to the domain, but I cannot access the machines physically. So I would need to run a script from here re-adding them to the domain.
    Wednesday, December 14, 2016 8:56 AM
  • Machines do not "drop off" the domain.  The machine account password is set, by default, to expire in 30 days.  When connected, the workstation/AD resets the password frequently. If you constantly have machines that are not connected for more than 30 days, just set a GPO to extend the password lifetime to as long as you need. This is the normal approach. Laptops currently default to longer (120 days?) because they can be disconnected for longer periods.

    Your issue is not uncommon; it is just that you are not looking for the best answer because you have gotten stuck on only one solution, due to lack of experience with Windows domains and the normal enterprise methods of configuring them to local needs.   Part of the issue is likely due to issues with NT4, which had a much shorter "time to live" when disconnected.  We also didn't have Group Policy to fine-tune the network.

    I would opt for the GP solution and not have to spend time managing something that can be configured for.

    See: https://technet.microsoft.com/en-us/library/jj852252(v=ws.11).aspx


    \_(ツ)_/

    Wednesday, December 14, 2016 9:08 AM
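The policy jrv's reply points to, made checkable, as an added example that is not part of the thread. The two Group Policy settings involved are "Domain member: Maximum machine account password age" (default 30 days) and "Domain member: Disable machine account password changes", under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options; on the client they land in the Netlogon parameters registry key. The block reads those values on the local machine and then lists domain computers whose machine password is older than a threshold, so you can see which boxes are the rarely-used ones before changing any policy. The 30-day threshold and the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example, not from the thread: inspect the machine account password policy locally
# and list stale machine passwords domain-wide. Needs the ActiveDirectory module (RSAT)
# for Get-ADComputer and an account that can read computer objects.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Effective policy on this client. MaximumPasswordAge is in days and is absent when the
# default (30) applies; DisablePasswordChange = 1 stops the client rotating its secret.
function Get-MachinePasswordPolicy {
    $p = Get-ItemProperty -Path $NetlogonKey
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
        PasswordChangeDisabled = [bool]($p.DisablePasswordChange -eq 1)
    }
}

# Enabled computer objects whose password was last set more than $Days ago. An old
# PasswordLastSet on a machine that is simply powered off is expected: the client, not AD,
# drives the change, and it rolls the password itself once it is back on the network.
function Get-StaleMachinePasswords {
    param([int]$Days = 30)   # assumption: report against the 30-day default
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, LastLogonDate |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, LastLogonDate |
        Sort-Object PasswordLastSet
}

Get-MachinePasswordPolicy
Get-StaleMachinePasswords -Days 30 | Format-Table -AutoSize
```

If you do change policy, raise the maximum age for the OU that holds the rarely-used machines rather than setting "Disable machine account password changes": a machine whose secret never rotates keeps the same credential for as long as it exists, and anyone who captures it once keeps it too.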
  • They drop off the domain after 30 days as it has been set to do so.
    As what has been set to do so? And why?

    -- Bill Stewart [Bill_Stewart]

    Wednesday, December 14, 2016 1:21 PM
  • They drop off the domain after 30 days as it has been set to do so.

    As what has been set to do so? And why?

    -- Bill Stewart [Bill_Stewart]

    That is the default password expiration in Windows AD. See: https://technet.microsoft.com/en-us/library/jj852252(v=ws.11).aspx


    \_(ツ)_/

    Wednesday, December 14, 2016 8:35 PM
  • This blog post disagrees. Yes, passwords need to be changed after 30 days, but only rarely must the computer rejoin the domain, even offline for months:

    https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/

    I am trying to figure out what jrv's link means.

    Edit: Quote from the blog by Ned Pyle I linked above:

    Machine account passwords as such do not expire in Active Directory. They are exempted from the domain’s password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not the AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, (or some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was initiated and changed.

    So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.
    Before we set the new password locally, we ensure we have a valid secure channel to the DC. If the client was never able to connect to the DC (where never is anything prior the time of the attempt – time to refresh the secure channel), then we will not change the password locally.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, December 14, 2016 9:17 PM
  • I'm wondering if that policy overrides the default behavior. If so, it is new to me, and would seem a source of problems. I cannot find more info yet.

    Ordinarily, computer accounts only need to be reset if the secure channel (between client and DC) is lost. Usually this is because the client was restored to a previous state (perhaps a backup).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, December 14, 2016 9:41 PM
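The check and the repair that Richard's reply implies, as an added example that is not part of the thread: verify the secure channel between the client and a domain controller, and only if it is broken reset the machine account password in place, which is what a rejoin would do the hard way. The optional preferred DC name and the prompted credential are assumptions.

```powershell
# Added example, not from the thread: test and, if needed, repair a client's secure channel
# without unjoining or rejoining. Run on the affected machine (locally, or over
# Invoke-Command with the local administrator account, since a domain logon will not
# authenticate while the secure channel is broken). Needs PowerShell 3.0+ for -Credential.

function Repair-SecureChannelIfBroken {
    param(
        [string]$Server,                  # assumption: optional preferred DC, e.g. 'DC01'
        [pscredential]$DomainCred         # account allowed to reset this computer object's password
    )
    $dcArgs = @{}
    if ($Server) { $dcArgs.Server = $Server }

    # Test-ComputerSecureChannel returns $true when the trust with a DC is intact.
    if (Test-ComputerSecureChannel @dcArgs) {
        Write-Output "$env:COMPUTERNAME: secure channel OK, nothing to do"
        return $true
    }

    Write-Warning "$env:COMPUTERNAME: secure channel broken, repairing in place"
    # -Repair resets the machine account password on both the client and the DC.
    # No unjoin, no rejoin, no reboot: the computer object keeps its SID, its group
    # memberships and its place in the OU, which a delete-and-rejoin would discard.
    $repaired = Test-ComputerSecureChannel -Repair -Credential $DomainCred @dcArgs
    if ($repaired) { Write-Output "$env:COMPUTERNAME: repaired" }
    else           { Write-Warning "$env:COMPUTERNAME: repair failed" }
    return $repaired
}

$cred = Get-Credential -Message 'Domain account with rights to reset this computer account password'
Repair-SecureChannelIfBroken -DomainCred $cred
```

This is the fix for the case Richard describes (a client restored from an older image or backup whose stored machine password no longer matches the computer object). If the computer object has been deleted from AD, -Repair has nothing to reset against and a join is genuinely required.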
  • Then why is there a GP setting to control the password age for computer accounts? And why does a computer that has been shut off for three months fail to access the domain when it is restarted on the domain?

    The computer will try to reset its password periodically.  If it misses too many attempts, then AD seems not to want to honor the trust.

    In NT4 this would occur if we left a S off for more than two weeks.  The aging was set to 7 days.   In WS2000 and later the aging is set to 30 days.   After more than 60 days, AD seems to drop the trust.

    I have another W7 system coming back from a user after more than 3 months, and I will watch it more closely when it is reconnected.


    \_(ツ)_/

    Wednesday, December 14, 2016 9:42 PM
  • I'm wondering if that policy overrides the default behavior. If so, it is new to me, and would seem a source of problems. I cannot find more info yet.

    Ordinarily, computer accounts only need to be reset if the secure channel (between client and DC) is lost. Usually this is because the client was restored to a previous state (perhaps a backup).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    There is a clock.  It seems to be twice the base interval - 14+ for NT4 and 60+ post NT4.  I know this because NT4 was a real headache with workstations that were shut off when a temp left and turned back on when a new temp joined.  I tried to stop people from turning off the machines but that was before power saving was invented.

    Perhaps I am missing something but I cannot see what it is or why machines would do this.  Machines turned off for less than 60 days will restart correctly.    That is also a mystery when the aging is set to 30 days but, as in NT4 it seems to be twice the interval.  Laptops never seem to get lost and I remember a change in AD on WS2008, I believe, that said this was being changed.


    \_(ツ)_/

    Wednesday, December 14, 2016 9:47 PM
  • I just asked in the Directory Services forum:

    https://social.technet.microsoft.com/Forums/en-US/bb14e5ab-57d0-49a9-b95e-ab783232351c/machine-account-password-change-confusion?forum=winserverDS


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, December 14, 2016 10:39 PM
  • The only reply I got to my question in the Directory Services forum was a link to the blog post I linked above. That was the only reference I could find on the question, and it is very confusing to me. It contains the paragraph I quoted above, but then later talks about the 30/60 day sequence where the computer will lose the trust. I plan to test this to make sure, but it will require 60+ days, and a computer I don't plan to use for that long.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, December 22, 2016 2:00 PM